Cisco Bug: CSCvs22608 - Regarding disabled SID still being detected from Snort Rules Profiling

Last Modified

Sep 03, 2020

Products (1)

  • Sourcefire Defense Center

Known Affected Releases

6.2.3.15

Description (partial)

Symptom:
Rules disabled from the GUI are still reported in Rule Profile Statistics when running "system support run-rule-profiling 15" on the sensor, and they still consume Snort's processing time.

SIDs 3665 and 3666 were disabled:
Nov 19 01:31:49 SKTX-FirePower-IDS-OA snort[15072]: Rule Profile Statistics (all rules)
Nov 19 01:31:49 SKTX-FirePower-IDS-OA snort[15072]: ==========================================================
Nov 19 01:31:49 SKTX-FirePower-IDS-OA snort[15072]:    Num      SID GID Rev     Checks   Matches    Alerts           Microsecs  Avg/Check  Avg/Match Avg/Nonmatch   Disabled
Nov 19 01:31:49 SKTX-FirePower-IDS-OA snort[15072]:    ===      === === ===     ======   =======    ======           =========  =========  ========= ============   ========
Nov 19 01:31:49 SKTX-FirePower-IDS-OA snort[15072]:      1    50462   1   1    1084246         0         0             2971946        2.7        0.0          2.7          1
Nov 19 01:31:49 SKTX-FirePower-IDS-OA snort[15072]:      2    51547   1   1      21993         0         0             2620975      119.2        0.0        119.2          3
Nov 19 01:31:49 SKTX-FirePower-IDS-OA snort[15072]:      3    12618   1  11     141318         0         0             1700279       12.0        0.0         12.0          3
Nov 19 01:31:49 SKTX-FirePower-IDS-OA snort[15072]:      4     3665   1  10    1779532         0         0             1667355        0.9        0.0          0.9          0
Nov 19 01:31:49 SKTX-FirePower-IDS-OA snort[15072]:      5    38642   1   3    3030357         0         0             1536309        0.5        0.0          0.5          4
Nov 19 01:31:49 SKTX-FirePower-IDS-OA snort[15072]:      6     3666   1  12    1757095         0         0             1367062        0.8        0.0          0.8          4

Output from 15072
1:50462: 0.60% of Snort's time, 5.31% of packets analyzed, 2.7 average time per packet, 0.0 microsecs/match
1:51547: 0.53% of Snort's time, 0.11% of packets analyzed, 119.2 average time per packet, 0.0 microsecs/match
1:12618: 0.34% of Snort's time, 0.69% of packets analyzed, 12.0 average time per packet, 0.0 microsecs/match
1:3665: 0.34% of Snort's time, 8.72% of packets analyzed, 0.9 average time per packet, 0.0 microsecs/match
1:38642: 0.31% of Snort's time, 14.84% of packets analyzed, 0.5 average time per packet, 0.0 microsecs/match
1:3666: 0.28% of Snort's time, 8.61% of packets analyzed, 0.8 average time per packet, 0.0 microsecs/match

Conditions:
unknown
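
A check for this symptom, as an added example that is not part of Cisco's bug record: it parses the Rule Profile Statistics rows that snort writes to syslog and reports any rule the policy lists as disabled that still shows a non-zero Checks count. The function names and the set of disabled (GID, SID) pairs are assumptions for illustration; the sample rows are copied from the output above.

```python
import re

# Rows copied from the Rule Profile Statistics output shown in this bug record.
SAMPLE = """\
Nov 19 01:31:49 SKTX-FirePower-IDS-OA snort[15072]:    Num      SID GID Rev     Checks   Matches    Alerts           Microsecs  Avg/Check  Avg/Match Avg/Nonmatch   Disabled
Nov 19 01:31:49 SKTX-FirePower-IDS-OA snort[15072]:      1    50462   1   1    1084246         0         0             2971946        2.7        0.0          2.7          1
Nov 19 01:31:49 SKTX-FirePower-IDS-OA snort[15072]:      2    51547   1   1      21993         0         0             2620975      119.2        0.0        119.2          3
Nov 19 01:31:49 SKTX-FirePower-IDS-OA snort[15072]:      3    12618   1  11     141318         0         0             1700279       12.0        0.0         12.0          3
Nov 19 01:31:49 SKTX-FirePower-IDS-OA snort[15072]:      4     3665   1  10    1779532         0         0             1667355        0.9        0.0          0.9          0
Nov 19 01:31:49 SKTX-FirePower-IDS-OA snort[15072]:      5    38642   1   3    3030357         0         0             1536309        0.5        0.0          0.5          4
Nov 19 01:31:49 SKTX-FirePower-IDS-OA snort[15072]:      6     3666   1  12    1757095         0         0             1367062        0.8        0.0          0.8          4
"""

# Only the integer columns up to Microsecs are captured; the header and
# "===" ruler lines contain no leading integers and therefore do not match.
ROW = re.compile(
    r"snort\[\d+\]:\s+(?P<num>\d+)\s+(?P<sid>\d+)\s+(?P<gid>\d+)\s+(?P<rev>\d+)"
    r"\s+(?P<checks>\d+)\s+(?P<matches>\d+)\s+(?P<alerts>\d+)\s+(?P<usecs>\d+)\s"
)


def parse_profile(text):
    """Return one dict of integer columns per rule row found in the syslog text."""
    return [{k: int(v) for k, v in m.groupdict().items()}
            for m in map(ROW.search, text.splitlines()) if m]


def disabled_but_evaluated(text, disabled):
    """Rows for rules that are still being checked although listed as disabled.

    disabled: set of (gid, sid) pairs turned off in the intrusion policy
    (assumed to be supplied by the operator, e.g. from a policy export).
    """
    return [r for r in parse_profile(text)
            if (r["gid"], r["sid"]) in disabled and r["checks"] > 0]


if __name__ == "__main__":
    for r in disabled_but_evaluated(SAMPLE, {(1, 3665), (1, 3666)}):
        print(f"{r['gid']}:{r['sid']} disabled in policy but checked "
              f"{r['checks']} times ({r['usecs']} microsecs)")
```
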